As part of my role as European Editor for The SANS Institute’s NewsBites newsletter I was invited to the recent release of the SANS Top 20 list.
The list was launched in partnership with the NISCC, which is responsible for protecting the UK’s Critical Network Infrastructure. Some interesting messages were given at that meeting that I felt would be worthwhile sharing with you.
Firstly, the list is no longer known as the SANS Top 20 Vulnerabilities. Instead it is now known as the SANS Top 20 Internet Security Attack Targets. The list is available at http://www.sans.org/top20. The reason for the name change is to move the focus away from the vulnerabilities themselves and onto how those vulnerabilities are being used to attack organisations.
The types of attack have continued to move away from attacks targeting the operating system and now focus on other areas such as applications (especially MS Office), web applications, network devices and people. USB devices were highlighted as a major risk, with many corporate secrets being copied onto thumb drives, iPods or MP3 players and carried away.
Voice over IP got a special mention as a new attack point, with systems being exploited for use in vishing attacks, for eavesdropping on conversations, for crashing systems to make VoIP services unavailable, and for rerouting long-distance calls so that they are free to the attacker but enormously costly to the victim. The biggest issue identified was that, in the rush to reap the cost savings offered by VoIP, many companies have overlooked the security basics: ensuring the system is configured securely, patched with the latest updates, and that default passwords are changed.
The other major point of attack was the people within organisations who are duped into helping attackers by giving up their access details, whether as a result of a simple phone call from someone posing as the support desk, or through attachments or links in emails that download spyware and/or keyloggers onto the victims’ workstations. It is vitally important that you ensure your security awareness programme is continuous, and that you also consider reducing the access rights people have on their machines: do they really need admin access?
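One concrete check behind that last question, added here as an example and not part of the original post or of the SANS list itself: a PowerShell audit that lists who currently holds local Administrators rights on a workstation and flags anyone outside an approved set. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (Get-LocalGroupMember) available; the approved names are placeholders to be replaced with your own.

```powershell
# Added example (not from the original post): audit membership of the local
# Administrators group and flag any member not on an approved list.
# Assumes Windows PowerShell 5.1+ with Get-LocalGroupMember available.
# The approved list is a constructed placeholder; replace with your own entries.

$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (ideally renamed or disabled)
    "CONTOSO\Domain Admins"             # placeholder domain group name
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$ApprovedMembers = $Approved)

    # Enumerate current members of the local Administrators group.
    $members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop

    foreach ($m in $members) {
        # Anything not explicitly approved is reported for review.
        if ($ApprovedMembers -notcontains $m.Name) {
            [pscustomobject]@{
                Name            = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount, ...
            }
        }
    }
}

$unapproved = Get-UnapprovedLocalAdmins
if ($unapproved) {
    Write-Warning "Unapproved members of local Administrators on ${env:COMPUTERNAME}:"
    $unapproved | Format-Table -AutoSize
} else {
    Write-Host "Local Administrators membership matches the approved list."
}
```

Run across a fleet (for example via Invoke-Command against a list of hosts) this gives a quick picture of how many ordinary users still hold admin rights, which is the number a least-privilege programme is trying to drive down.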
The other interesting points from this morning were highlighted by NISCC, on the change in the type of attackers and how these attackers are targeting systems. Vulnerabilities are no longer being exploited by the stereotypical hacker seeking fame and kudos. Instead hackers are being recruited by organised criminals to extort money from their victims. There is now an active marketplace in which vulnerabilities, in particular 0-days, are actively traded and in which the more sophisticated and harder-to-detect attacks command the highest prices. In some cases hackers are being forced to work for organised crime syndicates under threat to their own lives or their families’. In one case a hacker in Eastern Europe was kidnapped by a criminal gang, transported to Africa and forced to hack into target companies for food.
Hackers are also being recruited by foreign nation states to obtain competitive information in areas such as technology that those nations can use in their own industries. As these attacks are funded by foreign nations they have more resources available, making them more sophisticated than other attacks and therefore harder to defend against.
If your organisation is involved in the emerging technology sector, sensitive government information or critical network infrastructure, you should review how secure your data is: where it is stored, who has access to it and how you control that access.
A number of recent news stories reiterate the findings of those at the meeting:
Foreign intelligence agents hacking UK businesses, government warns
Russian spies target Western technology
China bought bomber secrets
The list is an informative and very worthwhile read, and I would urge you to review it and use it as an effective aid in protecting your data and your company: http://www.sans.org/top20